Reputation or "Cloud" Based Protection - when good Ideas go bad

Since I seem to be moving from tumblr to DTH permanently, here is a re-post of an older article on a topic which I think is still important for folks to be aware of.

Reputation Based Protection is a good idea to complement classic signature based and heuristic malware detection.

Some antivirus vendors have already added cloud based reputation services to their antivirus products.

How do those services work?

One example could be, that a URL in an email, an email-attachment or a URL that is being typed into the browser is hashed, the hash being sent up to the reputation service cloud and then the hash being compared to a database of hashes of URLs that are known for spreading malware. This way, the original URL (which could accidentally be the URL of your internal SAP-portal or other sensitive, non-public systems) would stay unknown to the “cloud”, unless its hash is already in the database.

But how does the “cloud” know if a URL is malicious or not?

Well, the vendor could actually crawl the internet like google does. Google not only crawls the internet for search but also analyzes sites for malware. This information is used for the Google Safebrowsing Diagnostics service.

Well it turns out that some vendors are optimizing this process by simply passing the complete URL or ip-address to the cloud.

Today I had one client testing a webapp through their own proxy. The requests he sent appeared in the access_log - but not only the requests that originated from the proxy-addresss. The exact same request was sent again some minutes later from an IP-address in San Jose, onther one from Los Angeles. Weird, huh?

The addresses are registered to Trend Micro - and guess what - the proxy admin confirmed they are running Trend Micro on the proxy. What he did not know was, that each and every URL that went though the proxy was being copied to a server located in another country. D’OH! Now that’s some privacy issue, or isn’t it?

So it seems that Trend Micro is requesting every URL that it has detected on an agent installation at the customer from their own servers in the US, analyzes what comes back for malware and then eventually blacklists the URL or site if it finds any malware.

Further research on behalf of the client turned up the following:At least some of the source ip addresses of this Trend Micro service have beenlisted by projecthoneypot.org for “comment spamming behavior”.

Yep - this IP is from Trend Micro (anti virus). I thought they fixed this bug but now it’s coming back. I have a chat board and what happens is Trend Micro is caching outbound data up to its servers and then a few minutes later, re-posting them. To me this is a serious security and personal privacy flaw. They have hundreds of IP addresses and I had a bunch in my deny list until they fixed it. Now it’s time to start adding them again.